diff --git a/warehost-api/defaults/main.yml b/warehost-api/defaults/main.yml
index 9fbcb8c..1d7f177 100644
--- a/warehost-api/defaults/main.yml
+++ b/warehost-api/defaults/main.yml
@@ -4,3 +4,4 @@ warehost_api_internal_ip: 127.0.0.1
 warehost_api_internal_port: 60990
 warehost_api_ssl: true
 warehost_api_domain: api.warehost.de
+http_usr: http
diff --git a/warehost-api/tasks/caddy.yml b/warehost-api/tasks/caddy.yml
index bccd720..63691ce 100644
--- a/warehost-api/tasks/caddy.yml
+++ b/warehost-api/tasks/caddy.yml
@@ -1,4 +1,4 @@
 ---
 - name: Configurate caddy
-  template: src=caddy.conf dest=/etc/caddy/hosts/80-warehost-api.act owner=http mode=0644
+  template: src=caddy.conf dest=/etc/caddy/hosts/80-warehost-api.act owner={{http_usr}} mode=0644
   notify: reload caddy
diff --git a/warehost-api/tasks/nginx.yml b/warehost-api/tasks/nginx.yml
index b7caf30..61a568b 100644
--- a/warehost-api/tasks/nginx.yml
+++ b/warehost-api/tasks/nginx.yml
@@ -6,5 +6,5 @@
   when: warehostv2_api_ssl
 
 - name: Configurate nginx
-  template: src=nginx.conf dest=/etc/nginx/servers/80-{{ warehost_api_domain }}.act owner=http mode=644
+  template: src=nginx.conf dest=/etc/nginx/servers/80-{{ warehost_api_domain }}.act owner={{http_usr}} mode=644
   notify: reload nginx
diff --git a/warehost-db/tasks/main.yml b/warehost-db/tasks/main.yml
index 7561d61..fe32802 100644
--- a/warehost-db/tasks/main.yml
+++ b/warehost-db/tasks/main.yml
@@ -1,12 +1,14 @@
 ---
 - name: Create database
-  become: postgres
+  become: true
+  become_user: postgres
   become_method: su
   postgresql_db: name={{ warehost_db_dbname }}
   when: warehost_db_pass is defined
 
 - name: Create users for database
-  become: postgres
+  become: true
+  become_user: postgres
   become_method: su
   postgresql_user: db={{ warehost_db_dbname }} name={{ warehost_db_user }} password='{{ warehost_db_pass }}'
   register: createdb
diff --git a/warehost-ftp/defaults/main.yml b/warehost-ftp/defaults/main.yml
index dd98479..397f9b1 100644
--- a/warehost-ftp/defaults/main.yml
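Review bot: The rewritten `template:` line still packs the whole module call into one `key=value` string, so the `{{http_usr}}` expansion and the octal `mode=0644` live inside an opaque scalar that yamllint and ansible-lint cannot inspect; native Ansible style is a block mapping with the mode quoted so it can never be re-typed as an integer. The shape below is what I would expect on the new side; `name:` and `notify:` are unchanged and shown only for placement.

```yaml
- name: Configurate caddy
  template:
    src: caddy.conf
    dest: /etc/caddy/hosts/80-warehost-api.act
    owner: "{{ http_usr }}"
    mode: "0644"
  notify: reload caddy
```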
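Review bot: The context line `when: warehostv2_api_ssl` on the new side tests a variable that nothing in this diff defines, while `warehost-api/defaults/main.yml` defines `warehost_api_ssl: true`; unless `warehostv2_api_ssl` is set in inventory, current Ansible fails the conditional as an undefined variable and the SSL task above this hunk never runs. If the `v2` suffix is stale, the fix is `when: warehost_api_ssl`; the task that owns this `when:` starts above the hunk. The new `template:` line also uses `mode=644` where caddy.yml uses `mode=0644` — both are parsed as octal in key=value form, but `mode=0644` keeps the two tasks consistent and survives a later move to block YAML as `mode: "0644"`.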
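Review bot: The `Create users for database` task passes `password='{{ warehost_db_pass }}'` without `encrypted=yes`, so on Ansible releases where `postgresql_user` defaults `encrypted` to no (before 2.6) the role issues `UNENCRYPTED PASSWORD` and older PostgreSQL servers keep the credential in clear in `pg_authid`; add `encrypted=yes` to the module args so a version default does not decide this. I would also put `no_log: true` on that task: the module masks its own `password` argument, but the task-level flag keeps the value out of verbose invocation dumps and any failure text. The `become: true` / `become_user: postgres` / `become_method: su` split is the right replacement for the old `become: postgres`, but `su` needs either a root connection or the postgres account's password in inventory, so confirm these plays run as root.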
+++ b/warehost-ftp/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 warehost_db_host: localhost
-warehost_ftp_port: 22
+warehost_ftp_port: 21
 warehost_ftp_data_path: /srv/ftp
 warehost_ftp_host_path: /srv/http/domain
 warehost_ftp_web_path: /srv/http/web
+http_grp: http
diff --git a/warehost-ftp/tasks/main.yml b/warehost-ftp/tasks/main.yml
index 05f7395..e889b11 100644
--- a/warehost-ftp/tasks/main.yml
+++ b/warehost-ftp/tasks/main.yml
@@ -3,7 +3,7 @@
   copy: src=warehost-ftp dest=/usr/local/bin/warehost-ftp owner=root group=root mode=0755
 
 - name: Create data folder
-  file: path={{warehost_ftp_data_path}} state=directory owner=warehost group=http mode=0770
+  file: path={{warehost_ftp_data_path}} state=directory owner=warehost group={{http_grp}} mode=0770
 
 - name: Configurate warehost
   template: src=config.yml dest=/etc/warehost/ftp.conf owner=warehost mode=0600
diff --git a/warehost-ftp/templates/warehost-ftp.unit b/warehost-ftp/templates/warehost-ftp.unit
index fd525b6..46b8aa7 100644
--- a/warehost-ftp/templates/warehost-ftp.unit
+++ b/warehost-ftp/templates/warehost-ftp.unit
@@ -11,5 +11,13 @@ Group=nobody
 ExecStart=/usr/local/bin/warehost-ftp -c /etc/warehost/ftp.conf
 Restart=always
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+
 
 [Install]
 WantedBy=multi-user.target
diff --git a/warehost-host/defaults/main.yml b/warehost-host/defaults/main.yml
index 5cf420f..337d42a 100644
--- a/warehost-host/defaults/main.yml
+++ b/warehost-host/defaults/main.yml
@@ -8,3 +8,4 @@ warehost_host_db_host: ""
 warehost_host_db_user: root
 warehost_host_db_pass: "{{ lookup('password', 'credentials/mysql_root length=15') }}"
 warehost_host_db_prefix: warehost_db
+http_grp: http
diff --git a/warehost-host/tasks/main.yml b/warehost-host/tasks/main.yml
index 2b95518..7f42949 100644
--- a/warehost-host/tasks/main.yml
+++ b/warehost-host/tasks/main.yml
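Review bot: Moving `warehost_ftp_port` from 22 to 21 puts the daemon on the plain-FTP port, and nothing in this diff shows `warehost-ftp` forcing TLS, so unless the binary itself requires it, logins to this port cross the network in clear; the default should carry a comment that pins down which it is, e.g. `# 21 is the plain FTP port; TODO confirm warehost-ftp enforces AUTH TLS before accepting credentials`. 21 is also a privileged port, which is what the `CAP_NET_BIND_SERVICE` grant in the unit file of this same commit exists for, and that coupling deserves a second line so the two are not changed independently: `# privileged port: the systemd unit grants CAP_NET_BIND_SERVICE for it`.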
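Review bot: `group={{http_grp}} mode=0770` on the `Create data folder` line gives the web server's group full write access to the FTP root, while the daemon itself runs with `Group=nobody` according to its unit and so reaches the directory only through the `warehost` owner bits (assuming it runs as that user, which the hunk does not show). If the web tier only needs to serve uploaded files, `mode=0750` is the least-privilege setting; if it must write, state that in a comment on the task, e.g. `# http group needs write here: <reason>`. Please also confirm `http` is the group the web server actually runs under on the target distribution, since the same default is now relied on by three roles.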
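Review bot: The new hardening block grants `CAP_NET_BIND_SERVICE` but leaves `NoNewPrivileges=` and `ProtectSystem=` unset, so the service (running with `Group=nobody` and, presumably, a non-root `User=` above the hunk) can still regain privileges through setuid binaries and keeps a writable view of `/usr`, `/etc` and `/boot`. An ambient capability only makes sense for an unprivileged user, so pin that down with `NoNewPrivileges=true`, `ProtectSystem=strict` and `ReadWritePaths={{ warehost_ftp_data_path }}` (adding whichever of the host/web paths the daemon really writes to; the file is rendered as a template, so the role variables are available). `ProtectSystem=strict` also makes `/etc/warehost/ftp.conf` read-only to the process, which matches the `mode=0600` intent for that file. The two added trailing blank lines before the existing blank one are noise and should be dropped.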
@@ -11,7 +11,7 @@
   notify: restart warehost-host
 
 - name: Configurate warehost-host
-  file: path={{warehost_host_web_path}} state=touch owner=warehost group=http mode=0660
+  file: path={{warehost_host_web_path}} state=touch owner=warehost group={{http_grp}} mode=0660
 
 - name: Install service
   template: src=warehost-host.{{item}} dest=/lib/systemd/system/warehost-host.{{item}} owner=root mode=644
diff --git a/warehost-web/defaults/main.yml b/warehost-web/defaults/main.yml
index 45ac772..f5f9e5f 100644
--- a/warehost-web/defaults/main.yml
+++ b/warehost-web/defaults/main.yml
@@ -3,3 +3,4 @@ warehost_db_host: localhost
 warehost_web_internal_ip: 127.0.0.1
 warehost_web_internal_port: 60000
 warehost_web_webroot: /srv/http/web
+http_grp: http
diff --git a/warehost-web/tasks/main.yml b/warehost-web/tasks/main.yml
index bc77063..c0c91b2 100644
--- a/warehost-web/tasks/main.yml
+++ b/warehost-web/tasks/main.yml
@@ -3,7 +3,7 @@
   copy: src=warehost-web dest=/usr/local/bin/warehost-web owner=root group=root mode=0755
 
 - name: Create web folder
-  file: path={{warehost_web_webroot}} state=directory owner=warehost group=http mode=0770
+  file: path={{warehost_web_webroot}} state=directory owner=warehost group={{http_grp}} mode=0770
 
 - name: Configurate warehost
   template: src=config.yml dest=/etc/warehost/web.conf owner=warehost mode=0600
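Review bot: `state=touch` on the rewritten `Configurate warehost-host` line bumps the file's timestamps on every run, so the task reports `changed` each time and the play is never idempotent; if the intent is only "exists with these permissions", add `modification_time=preserve access_time=preserve` (file module, Ansible 2.7+) or guard it with a `stat` and use `state=file` when the path already exists. The `Install service` line below writes the unit to `/lib/systemd/system/`, which is the distribution's directory and can be overwritten by a package update; locally managed units belong in `/etc/systemd/system/`. That line is unchanged here, so it is a follow-up rather than a blocker for this commit.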